They don't need to do what Iran did. What Iran did was get a cert that was automatically trusted by nearly every web browser in the world because the issuer was a trusted CA by default. You only need a trusted cert if you don't want users to get a warning. Iran was trying to be sneaky. Pakistan is up front about wanting to monitor traffic. They can use any cert they want. They could use a self signed cert to proxy SSL. Sure, the browser will complain that it's not a trusted cert, but the government is already saying they are going to monitor everything. If users add the cert to the "trusted" list they won't get the warning anymore.